Is SendGrid HIPAA Compliant?

June 19, 2018


SendGrid is an email marketing platform that lets businesses quickly and easily deliver marketing emails to their customers, but can the platform be used by healthcare organizations? Is SendGrid HIPAA compliant?

HIPAA Compliant Email Services

Providers of cloud-based email services are not exempt from HIPAA compliance under the conduit exception rule.

If a HIPAA-covered entity wants to use an email service to communicate with patients, no protected health information (PHI) can be included in the messages unless the requirements of HIPAA are satisfied. If PHI must be included in emails, the email service provider would be classed as a business associate and a business associate agreement (BAA) would have to be entered into by both parties.

The business associate agreement (BAA) outlines the responsibilities of the business associate with respect to HIPAA and provides the covered entity with ‘reasonable assurances’ that HIPAA Rules will be followed by the workforce and that the platform incorporates appropriate security controls to ensure the confidentiality, integrity, and availability of ePHI.

In addition to security controls that prevent messages from being intercepted by unauthorized individuals, access controls are essential, and an audit trail should be maintained.

Will SendGrid Sign a Business Associate Agreement?

At the time of writing, SendGrid does not sign business associate agreements with HIPAA-covered entities, as the company’s platform does not natively support HIPAA-compliant data transmission. Although the email service does include security measures via SMTP, messages are not encrypted in transit and the platform is not designed for use with PHI.

Is SendGrid HIPAA Compliant?

SendGrid can be used for marketing purposes, provided that no PHI is included in any emails. The company clearly states on its website, “SendGrid doesn’t plan uses of the facility to create duties under The Health Insurance Portability and Accountability Act of 1996” and that its service must not be used “for any intention or in any way involving Protected Health Information (as described in HIPAA).”